European Commission Keeps Up Pressure On GDPR

The EU General Data Protection Regulation (GDPR) will apply to businesses operating in the EU from 25 May 2018 – in 100 days’ time.

Senior Commissioners Ansip (Digital Single Market) and Jourová (Justice) yesterday announced guidelines and other materials to “facilitate a direct and smooth application of the new data protection rules across the EU [and beyond] as of 25 May.” The guidance comprises a 17-page “communication” plus Q&A, an online tool, and factsheets. The Communication recaps the main innovations and opportunities opened up by the GDPR; takes stock of EU-level preparatory work; and outlines next steps for the Commission, national data protection authorities, and national governments. The Commission is raising the ante by recommending that EU governments now adapt their national legislation to the GDPR rules; data protection authorities apply the rules including through fines; and companies respect the new rules as at 25 May. The Commission itself will monitor the application of the new rules and “take appropriate actions, including proceedings against EU counties which fail to apply the new rules.”

Flavor of the month or more ominous?

We would say the latter and detect a concerted effort by the Commission and national DPAs to enforce quickly after the application date. The Commission will also want to report favorably on its and others’ enforcement efforts when reporting on the GDPR (in 2020).

This latest broadside also addresses the elephant in the room – Brexit. On 9 January, the Commission issued a notice warning all stakeholders processing personal data to consider the “legal repercussions” of Brexit. This note was not well received. The guidelines confirm that, as of the EU withdrawal date and subject to any transitional arrangement, the GDPR rules on transfers outside the EU, i.e. to “third countries,” will apply to the UK.

Stewart Baker

Stewart served as the first Assistant Secretary for Policy at the Department of Homeland Security where he set cybersecurity policy, including inward investment reviews focused on network security. More

About This Blog

Steptoe Cyberblog, with its sometimes contrasting insights, serves up opinionated and provocative thoughts on the issues — especially cybersecurity and privacy — that arise at the intersection of law, information technology, and security.

Stay Connected To Steptoe

About Steptoe

Steptoe & Johnson LLP is an international law firm widely recognized for vigorous advocacy in complex litigation and arbitration, successful representation of clients before governmental agencies, and creative and practical advice in guiding business transactions. The firm has more than 500 lawyers and other professionals in offices in Beijing, Brussels, Chicago, London, Los Angeles, New York, Phoenix, San Francisco and Washington. For more information, visit the Steptoe website www.steptoe.com or contact us directly by visiting our Contact Page.